Net Certificate Authority 2003 DC

Some help if possible,

I have a DC that I am retiring asap but it is an Enterprise CA and has been for the life of the DC and server. This was the main DC that held everything (first ever DC in the domain) until I farmed off the FSMO roles, services etc to other 2008 R2 DC's.

My lack of knowledge with CA's is clearly apparent. We have another Ent CA on a member server that issues certs for wireless and radius access and that is it. It's not issuing certs for anything else.

I'm pretty sure the 2003 CA is not required, but has been issuing a few certs over the last few months to new servers. The majority of certs have expired with no ill effects. I would have thought that if it was required for anything, I would have seen ramifications long ago.

Does AD need certs for anything? Again, only 2 out of the 3 DC's have a valid cert from the Ent CA, and the other 2 DC's certs have expired, again, without ill effect.

Can I assume it's just issuing certs based on the fact that it can, as stated in a template somewhere, but they aren't actually required for anything?

I have read an awful lot, but have become more confused the more I read on this, as the majority of things are based on wanting to do something specific, but I don't want to do anything, just find out how to stop issuing certs and then demote and remove the 2003 DC.

Can anyone advise?  Let me know if you need further info.  Thanks

Radhakrishnan R (Senior Technical Lead) Commented:

CA on DC's locally for approving certificate signing request locally. No need of having any certificates for the DC's from the CA. This would have been added when you added this DC into the domain. What I would suggest is: take a backup of the CA (simply right click Backup CA, don't give any password) and keep the db files in a safer location. Uninstall the CA role from the server (anyway, you need to remove the role before demoting the server). Wait for a few days; if no issues are found, you can go ahead further. It can be restored from the backup if you see any issues.
Jakob Digranes (Senior Consultant) Commented:
Demoting a CA server is pretty straightforward, as long as you take these precautions.

1. From one of the CA servers, start pkiview.msc and take a look at the general health of the CA environment. This should be rather self-explanatory.
2. Take a note of where the CA you're removing publishes its CRLs - these locations must be accessible after the CA role is removed, if it still has valid certificates it has issued. If the location is LDAP no actions are needed; if it also is a http:// publication - make sure you copy the CRL and point http to a new server.
3. Remove all certificate templates that the CA is issuing. The templates are only removed from that server; they're stored in AD and still available to the new CA server.
4. Look at the CA server for issued certificates; when does the last certificate expire? Note the date.
5. IMPORTANT! Publish a CRL that's valid at least as long as - or longer than - the last certificate's expiration date.
6. Check PKIVIEW.MSC and make sure that CRL publication of new certificate is still valid.
7. Back up the CA.
8. Remove CA role ( - Follow guide up to - but not including - step 6

leegclystvale (Author) Commented:
Thanks for the replies.

When viewing the pkiview.msc snap-in from the 2003 DC CA, it shows a yellow triangle on the 2008r2 CA with the status of Expiring on its CA cert and AIA location. The cert expires 2039.

When viewing pkiview.msc from the 2008r2 CA, there are no warning triangles and all the statuses say OK, for both CA's.

Do you think this might be a schema issue where the 2003 DC CA doesn't have the attributes that the 2008r2 CA has? Or what do you think it could be? I don't want to back up an issue or corruption.

2 - it seems to be using LDAP so that's good, but there are also ticks for "include in CRLs. Clients use this to find Delta CRL locations" and also "include in the CDP extension of issued certificates", and all other options are greyed out.
Do I still need to point this http path to the other CA?

Appreciate the help

Jakob Digranes (Senior Consultant) Commented:
Hi ---- if the 2008R2 shows all good - I'd say it's all good.
If the 2003 uses LDAP and no http - there's no need to add http, no.

The "Include in CRL + include in CDP" just tells that the path to both CRL and Delta CRL is added to issued certificates. If they're included (which is good), then the CRL path must be accessible, and given the fact that the LDAP path is still accessible - all is good.
leegclystvale (Author) Commented:
Many thanks Jacob.  Nearly there :)

5. IMPORTANT ! publish a CRL that's valid at least as long as - or longer than - the last certificate's expiration date.

So do I add a CRL distribution Point to the 2003 CA pointing to the 2008r2 CA? I am unsure of this - even what type of new CRL to use. LDAP?  Where am I to do this?

Please see attached from 2003 CA

Many thanks
Jakob Digranes (Senior Consultant) Commented:
For the LDAP path you need to do nothing. Just publish the new CRL.
For the http path - you can - after the server is decommissioned, point the servername to the new web server. But as long as you have the LDAP path you're good.
leegclystvale (Author) Commented:

But what is the new CRL? And where should I add it?

I told you I was confused! :)
Jakob Digranes (Senior Consultant) Commented:
From the old server - start the CA mmc, go to Revoked Certificates, right click and change the publication interval to be until the last certificate expires.
Then right click again and choose to publish both CRLs.

Go to %windir%\system32\certsrv\certenroll\ and retrieve the new CRL from here and copy it to the web publishing folder on the new CA server. Then change DNS (after the old DC is decommissioned) so that http://oldcaserver/certenroll/ points to the new server.
leegclystvale (Author) Commented:
Thanks Jacob.
"from old server - start CA mmc and go to revoked certificates and Right Click and change publication" ... it isn't published, as when I right click the only option is "Publish"!
If I go to Properties > CRL Publishing Params, CRL pub interval is 1 week, Publish Delta CRL is ticked and Publication Interval is 1 day.

Sorry, this is just one element that confused me, as it only gives me the option to Publish and not Change Publication. I will set the Properties to after the longest expiry date and then Publish it.

The CRL is not published on the 2008r2 CA either, although there are Revoked Certs from retired servers (Cease of Operation).

I am a way off decommissioning the whole server, so can I assume that if I remove all the Certificate Roles/services etc. as per the link you provided, that folder http://oldCAserver/certenroll/ will remain on the old CA until decommissioning?

I assume the attached is because they aren't published yet? (red crosses) See attached CertEnroll folder on 2003 CA.

Is this oldserver/certenroll (DNS) necessary after the longest certs have expired? I wanted to kill this 2003 DC and its name especially, and not reference it at all in DNS or anywhere.

The penny is starting to drop Jacob, thanks for your efforts here  :)  appreciate the help
Jakob Digranes (Senior Consultant) Commented:
Publishing CRLs: Sorry - I see now that my writing wasn't good there. Yes - you change the interval to way off in the future. And then publish.
The CRL will only be published on the 2003 server, to LDAP and HTTP. If you keep IIS then the CRL will be accessible on that server, no probs.

When the last cert from 2003 is expired - it's safe to remove. If the last cert is not in use, it's safe to remove.

The red cross is just the icon for CRL. The CRLs are published when you have the files in the folder.

For verifying validity of a published certificate - you need 3 things:
* a valid root certificate. For your part the root is published to AD still after the server is removed
* the date time of the certificate is not expired (the issued certificate)
* a CRL that is reachable. The path to the CRL is included in the issued certificate. You have both LDAP and HTTP, you only need one - but if you have deployed certs to systems not using Windows, then CRL must be verified using http (but all Windows and AD integrated services can use LDAP)
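
Steps 4 to 7 of the list earlier in this thread, plus the three-point validity check just above, typed as certutil commands at a command prompt on the CA being retired. This is an added example, not part of any post in the thread; the 5-year period, the C:\CABackup folder and the REPLACE-WITH-... file names are placeholders to substitute with your own values.

```batch
rem Run at a command prompt on the CA that is being retired.

rem Step 4: list issued certificates (Disposition 20 = issued) with their
rem expiry dates, and note the latest NotAfter value.
certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotAfter"

rem Record the current CRL settings before changing them.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits

rem Step 5: make the base CRL outlive the latest NotAfter found above.
rem "5 Years" is a placeholder; pick a period that covers your own date.
certutil -setreg CA\CRLPeriodUnits 5
certutil -setreg CA\CRLPeriod "Years"

rem Turn off delta CRLs (0 disables delta publication) so the final base CRL
rem does not point clients at a delta CRL that expires once the CA is gone.
certutil -setreg CA\CRLDeltaPeriodUnits 0

rem The registry changes take effect after a service restart.
net stop certsvc
net start certsvc

rem Publish the new CRL to the configured LDAP and file locations.
certutil -CRL

rem Step 6: dump the published CRL and confirm its NextUpdate date is later
rem than the latest NotAfter. The file name is a placeholder for your CA's CRL.
certutil -dump "%windir%\system32\certsrv\certenroll\REPLACE-WITH-CA-NAME.crl"

rem Step 7: back up the CA database and key pair before removing the role.
rem certutil prompts for a password to protect the private key file.
certutil -backup C:\CABackup

rem From a domain member, confirm that a certificate issued by this CA still
rem chains to the root and that its CRL can be fetched. Placeholder file name.
certutil -verify -urlfetch "REPLACE-WITH-ISSUED-CERT.cer"
```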
leegclystvale (Author) Commented:
Thanks for the good explanation Jacob. Makes much more sense to me now.

I'm pretty sure that I don't need the HTTP CRL so will rely on LDAP solely as it states it will remember the CRL after removal of CA services etc on the 2003 DC

So is it just a case of now following your linked article up to Step 6?

1. Revoke ALL issued Certs on Issued Certs
2. Increase the CRL publication interval
3. Publish CRL again
4. Deny pending requests - there aren't any
5. Uninstall Certificate Services from the server

Thanks again, it is becoming clearer believe it or not  !!
leegclystvale (Author) Commented:
This was a great help Jacob. Many thanks for the effort that you put into this, it's much appreciated and seems to have worked perfectly.